Abstract


Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools. It is an open-source digital forensics tool developed by Basis Technology. It is free to use and very efficient for the investigation of hard drives. Its features include multi-user cases, timeline analysis, keyword search, email analysis, registry analysis, EXIF analysis, detection of malicious files, and more.


A forensic investigation carried out on a disk image is demonstrated here. The results obtained help the investigator locate relevant information. The tool is used by law enforcement agencies and local police, and it can also be used in corporations to investigate the evidence found in a computer crime. It can likewise be used to recover data that has been erased.
Autopsy for Kali Linux


The tool can manage cases, check the integrity of the image, perform keyword searches and other automated operations.

- Investigators can analyse Windows and UNIX storage disks and file systems such as NTFS, FAT, UFS1/2 and Ext2/3 using Autopsy.

- Autopsy is used by law enforcement, military and corporate examiners to conduct investigations on a victim's or a criminal's PC.

- One can also use it to recover photos from a camera's memory card.


Autopsy Forensic Browser is a built-in application in the Kali Linux operating system, so let's power on Kali in a virtual machine.


Purpose of Autopsy

- For analysis of metadata information.
- To recover deleted data.
- To search data based on regular expressions.
- To analyse the contents of a folder and its deleted files.
- To report the activities of the recovered image.


Ignite Technologies


Creating a New Case 


Open a new terminal and type 'autopsy', then open http://localhost:9999/autopsy in your browser; you will be redirected to the home page of Autopsy Forensic Browser. It runs on the local web server using port 9999.


root@Jeenali:~# autopsy

Autopsy Forensic Browser
http://www.sleuthkit.org/autopsy/
ver 2.24

Evidence Locker: /var/lib/autopsy
Start Time: Wed Aug 12 20:37:30 2020
Remote Host: Localhost
Local Port: 9999

Open an HTML browser on the remote host and paste this URL in it:

    http://localhost:9999/autopsy

Keep this process running and use <ctrl-c> to exit


Now you will see three options on the home page:

- Open Case
- New Case
- Help

For an investigation you need to create a new case, so click on 'New Case'. This adds a new case folder to the system and lets you begin adding evidence to the case.


[Screenshot: Autopsy Forensic Browser 2.24 home page at localhost (http://www.sleuthkit.org/autopsy/), with the notice that JavaScript is not needed to use Autopsy and that it is recommended to turn it off]
Now you will be directed to a new page that asks for the case details. You can name the case and enter a description. You can also enter the names of multiple investigators working the case. After filling in these details, select 'New Case'.


[Screenshot: Create a New Case form at localhost]

CREATE A NEW CASE

1. Case Name: The name of this investigation. It can contain only letters, numbers, and symbols.
   Case1

2. Description: An optional, one line description of this case.
   Ignite Technologies

3. Investigator Names: The optional names (with no spaces) of the investigators for this case.
   a. Jeenali   Raj
   (fields b. to h. left blank)


The new case will be stored in /var/lib/autopsy/Case1/, and the configuration file in /var/lib/autopsy/Case1/case.aut. Now create the host for the investigation and click on 'Add Host'.

[Screenshot: localhost]
Creating Case: case1
Case directory (/var/lib/autopsy/Case1/) created
Configuration file (/var/lib/autopsy/Case1/case.aut) created

We must now create a host for this case.

Please select your name from the list: Jeenali
Once you add the host, enter the name of the computer you are investigating and describe the investigation. You can also enter the time zone, or leave it blank to use the default setting; a time skew adjustment may be set if the computer's clock was out of sync. Then click on 'Add Host'.


[Screenshot: Add a New Host form at localhost]

1. Host Name: The name of the computer being investigated. It can contain only letters, numbers, and symbols.
   Client

2. Description: An optional one-line description or note about this computer.
   Ignite Technologies case study

3. Time zone: An optional timezone value (i.e. EST5EDT). If not given, it defaults to the local setting. A list of time zones can be found in the help files.
   IST

4. Timeskew Adjustment: An optional value to describe how many seconds this computer's clock was out of sync. For example, if the computer was 10 seconds fast, then enter -10 to compensate.
   10

5. Path of Alert Hash Database: An optional hash database of known bad files.

6. Path of Ignore Hash Database: An optional hash database of known good files.
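The time zone and timeskew fields above matter because NTFS stores every timestamp as a FILETIME in UTC, and Autopsy renders them in the host's zone after applying the skew. The following Python script is an added example, not part of the original article or of Autopsy: it decodes a constructed FILETIME value, applies a skew with Autopsy's sign convention (a clock that ran 10 seconds fast gets -10), and prints the result in a fixed UTC+5:30 'IST' offset standing in for the zone name the form accepts. The FILETIME constant and the fixed IST offset are assumptions chosen for the example.

```python
from datetime import datetime, timedelta, timezone

# 100-nanosecond ticks between the FILETIME epoch (1601-01-01) and the Unix epoch (1970-01-01)
FILETIME_UNIX_EPOCH = 116_444_736_000_000_000
TICKS_PER_SECOND = 10_000_000

# Host time zone as a fixed offset, mirroring the "IST" entered on the Add Host form.
# Autopsy itself takes a zone name (e.g. EST5EDT); a fixed offset keeps this example offline.
IST = timezone(timedelta(hours=5, minutes=30), "IST")


def filetime_to_utc(filetime: int):
    """Decode an NTFS FILETIME into (aware UTC datetime, leftover 100 ns digit).

    datetime only stores microseconds, so the final 100 ns digit is returned
    separately to preserve the nine-digit fractions Autopsy / istat display.
    """
    if filetime < FILETIME_UNIX_EPOCH:
        raise ValueError("FILETIME values before 1970 are not handled in this example")
    unix_ticks = filetime - FILETIME_UNIX_EPOCH
    seconds, frac_ticks = divmod(unix_ticks, TICKS_PER_SECOND)
    dt = datetime.fromtimestamp(seconds, tz=timezone.utc).replace(microsecond=frac_ticks // 10)
    return dt, frac_ticks % 10


def render_host_time(filetime: int, skew_seconds: int, host_tz: timezone) -> str:
    """Apply the Timeskew Adjustment and render in the host's time zone.

    Autopsy's convention: a clock that ran 10 s fast is entered as -10, so the
    adjustment is simply added to every decoded timestamp.
    """
    dt, tick = filetime_to_utc(filetime)
    corrected = dt + timedelta(seconds=skew_seconds)
    local = corrected.astimezone(host_tz)
    return f"{local:%Y-%m-%d %H:%M:%S}.{local.microsecond:06d}{tick}00 ({local.tzname()})"


if __name__ == "__main__":
    # Constructed FILETIME for 2019-10-29 20:45:58.0987992 UTC (not a value read from the case image)
    sample = 132_168_555_580_987_992
    print("no skew :", render_host_time(sample, 0, IST))
    print("skew -10:", render_host_time(sample, -10, IST))
```

Entering the skew with the wrong sign shifts every timestamp in the timeline by twice the clock error, so compare one event whose true time is known from an external source (a server log, a CCTV clock) against the rendered value before trusting the adjustment.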
Add Image File


The path to the evidence directory will be displayed, and now you can proceed to add an image for investigation.


[Screenshot: localhost]
Adding host: client to case Case1
Host Directory (/var/lib/autopsy/Case1/Client/) created
Configuration file (/var/lib/autopsy/Case1/Client/host.aut) created

We must now import an image file for this host


It is a golden rule of digital forensics that one should never work on the original evidence; hence an image of the original evidence should be created. An image can be created with various methods and tools, and in various formats.

Once the image is acquired, the 'Add Image File' option will allow you to import the image file to analyse.


[Screenshot: localhost]
No images have been added to this host yet
Select the Add Image File button below to add one

(Tabs: File Activity Time Lines, Image Integrity, Hash Databases, View Notes, Event Sequencer)
Enter the path to the image file and select the file type. Also choose the import method of your choice and click on 'Next'.


[Screenshot: localhost]
Case: Case1
Host: Client
ADD A NEW IMAGE

1. Location
Enter the full path (starting with /) to the image file.
If the image is split (either raw or EnCase), then enter '*' for the extension.
   /home/jeenali/Desktop/image2*

2. Type
Please select if this image file is for a disk or a single partition.
   (•) Disk   ( ) Partition

3. Import Method
To analyze the image file, it must be located in the evidence locker. It can be imported from its current location using a symbolic link, by copying it, or by moving it. Note that if a system failure occurs during the move, then the image could become corrupt.

[Screenshot: localhost]
Split Image Confirmation

The following images will be added to the case.
If this is not the correct order, then you should change the naming convention.
Press the Next button at the bottom of the page if this is correct.
   0  /home/jeenali/Desktop/image2.e01
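The '*' wildcard and the "correct order" warning above are where split images most often go wrong: Autopsy orders the segments by name, so a naming scheme that sorts in acquisition order (.001, .002, ... or .E01, .E02, ...) is required. As an added example, not part of the article or of Autopsy, the following Python orders segments by their numeric suffix, refuses gaps or files belonging to another image, and hashes the ordered segments as one continuous stream so the digest can be compared with the acquisition hash. The segment contents and file names are constructed for the example. This comparison is meaningful for raw splits, where the concatenated segments are the device image; EnCase .E01 segments are a compressed container, so hashing those files only checks the files themselves, while the device hash recorded at acquisition lives inside the container.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# The two split-naming schemes the Location field accepts with a '*' wildcard:
#   raw:    image.001, image.002, ...      EnCase: image.E01, image.E02, ...
_SEGMENT_RE = re.compile(r"^(?P<stem>.+)\.(?P<prefix>[Ee]?)(?P<num>\d+)$")


def order_segments(names):
    """Return segment paths in acquisition order, rejecting gaps and foreign files."""
    if not names:
        raise ValueError("no segments given")
    parsed = []
    for name in names:
        m = _SEGMENT_RE.match(Path(name).name)
        if not m:
            raise ValueError(f"not a split-image segment: {name}")
        parsed.append((int(m["num"]), m["stem"], m["prefix"].upper(), name))
    # Every segment must share the same stem and scheme (image2.E01 + image3.E02 is two images)
    if len({(stem, prefix) for _, stem, prefix, _ in parsed}) != 1:
        raise ValueError("segments do not belong to one image")
    parsed.sort()
    numbers = [n for n, *_ in parsed]
    # Raw splits usually start at .001 and EnCase at .E01; either way the run must be contiguous
    if numbers != list(range(numbers[0], numbers[0] + len(numbers))):
        raise ValueError(f"segment sequence has gaps: {numbers}")
    return [name for *_, name in parsed]


def hash_stream(paths, algorithm="md5", chunk_size=1 << 20):
    """Hash the ordered segments as if they were a single file."""
    h = hashlib.new(algorithm)
    for p in paths:
        with open(p, "rb") as f:
            for chunk in iter(lambda: f.read(chunk_size), b""):
                h.update(chunk)
    return h.hexdigest()


def demo():
    """Constructed data: a small 'device' written out as raw .001/.002/.003 segments."""
    device = bytes(range(256)) * 40  # 10240 constructed bytes standing in for a disk
    with tempfile.TemporaryDirectory() as tmp:
        segs = []
        for i, start in enumerate(range(0, len(device), 4096), start=1):
            seg = Path(tmp) / f"image2.{i:03d}"
            seg.write_bytes(device[start:start + 4096])
            segs.append(str(seg))
        ordered = order_segments(sorted(segs, reverse=True))  # deliberately shuffled input
        return hashlib.md5(device).hexdigest(), hash_stream(ordered)


if __name__ == "__main__":
    whole, split = demo()
    print("device :", whole)
    print("split  :", split, "(match)" if whole == split else "(MISMATCH)")
```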
The image file details will appear, with the details of the file systems, the number of partitions and the mount points; then click on 'Add' to proceed.


[Screenshot: localhost]
Image File Details
Local Name: "/home/jeenali/Desktop/image2.e01"

File System Details

Analysis of the image file shows the following partitions:

Partition 1 (Type: Basic data partition)          Add to case? [x]
  Sector Range: 2048 to 1085439       Mount Point: C:    File System Type: ntfs
Partition 2 (Type: EFI system partition)          Add to case? [x]
  Sector Range: 1085440 to 1288191    Mount Point: D:    File System Type: fat32
Partition 3 (Type: Microsoft reserved partition)  Add to case? [x]
  Sector Range: 1288192 to 1320959    Mount Point: /3/   File System Type: raw
Partition 4 (Type: Basic data partition)          Add to case? [x]
  Sector Range: 1320960 to 83884031   Mount Point: E:    File System Type: ntfs


Now Autopsy will test the partitions and link them into the evidence locker; then click on 'OK' to proceed.


[Screenshot: localhost]
Testing partitions
Linking image(s) into evidence locker
Image file added with ID img1

Disk image (type gpt) added with ID vol1

Volume image (2048 to 1085439 - ntfs - C:) added with ID vol2
Volume image (1085440 to 1288191 - fat32 - D:) added with ID vol3
Volume image (1288192 to 1320959 - raw - /3/) added with ID vol4
Volume image (1320960 to 83884031 - ntfs - E:) added with ID vol5




www.hackingarticles.in 


Now select the volume to be analyzed and click on ‘Analyze’. 


[Screenshot: localhost]
Case: Case1
Host: Client

Select a volume to analyze or add a new image file.

CASE GALLERY / HOST GALLERY / HOST MANAGER

  mount   name                          fs type
  disk    image2.e01-disk               raw      details
  C:/     image2.e01-2048-1085439       ntfs     details
  D:/     image2.e01-1085440-1288191    fat32    details
  raw     image2.e01-1288192-1320959    raw      details
  E:/     image2.e01-1320960-83884031   ntfs     details

(Buttons: Analyze, Add Image File, Help; File Activity Time Lines, Image Integrity, Hash Databases, View Notes, Event Sequencer)


Now it will ask you to choose the mode of analysis you want to conduct. Here we are conducting file analysis, therefore click on 'File Analysis'.

[Screenshot: localhost. Tabs: File Analysis, Keyword Search, File Type, Image Details, Meta Data, Data Unit, Help, Close]
To start analyzing this volume, choose an analysis mode from the tabs above.
Now the files will appear, giving you the list of files and directories inside this volume. From here you can analyze the content of the required image file and conduct the type of investigation you prefer. You can first generate an MD5 hash list of all the files present in this volume to maintain the integrity of the files, so click on 'Generate MD5 List of Files'.


[Screenshot: File Analysis tab, Current Directory: C:/. The left pane offers Directory Seek (enter the name of a directory to view) and File Name Search (enter a Perl regular expression for the file names to find). The listing shows $OrphanFiles (timestamps 0000-00-00 00:00:00 (UTC)) and the NTFS metadata files $AttrDef, $BadClus, $BadClus:$Bad (554692608 bytes) and $Bitmap (16928 bytes), all with Written/Accessed/Changed/Created timestamps of 2019-10-30 02:15:58 (IST)]


Now you can see the MD5 values of the files in volume C of the image file.


[Screenshot: localhost]
MD5 Values for files in C:/ (image2.e01-2048-1085439)

ad617ac3906958de35eacc3d90d31043 $AttrDef
d41d8cd98f00b204e9800998ecf8427e $BadClus
d41d8cd98f00b204e9800998ecf8427e $BadClus:$Bad
9e573661e664f9fe17e9994fF68cfcebf $Bitmap
56be2ed9e3d8fa13c8601b4b4005c048 $Boot
f0a15b15a16edf984bfb1688f12bbc27 $LogFile
d79a6bdb2341ab892664648e1406cedd $MFT
0f2e6acdceecd0a34d50956a6be74747 $MFTMirr
db406c8849fb549bb219c7ac88cfa74f $Secure:$SDS
29c8d340eedb44039c942149ee9fea72 $Secure:$SDH
0ef04368ef411190e098df2d950ff15a $Secure:$SII
7ff498a44e45e77374cc7c962b1b92f2 $UpCase
dd81a6db3b14245dc2e5ae4d3bf40140 $UpCase:$Info
d41d8cd98f00b204e9800998ecf8427e $Volume
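An MD5 list like the one above only protects integrity if it is checked again later. The following Python is an added example, not part of the article or of Autopsy: it generates a list in the md5sum-compatible 'hash  path' shape (two spaces; Autopsy's own list uses a single space) for a constructed directory tree, then re-hashes the tree and reports modified, missing and added files. It also flags zero-byte files, because their digest d41d8cd98f00b204e9800998ecf8427e is simply the MD5 of empty input (the value shown above for $BadClus and $Volume) and says nothing about the file. The directory contents are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

EMPTY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"  # MD5 of zero bytes


def md5_file(path, chunk_size=1 << 20):
    """Stream a file through MD5 so large evidence files do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def generate_md5_list(root):
    """Walk root and return 'hash  relative/path' lines (md5sum -c can verify them)."""
    root = Path(root)
    files = sorted(p for p in root.rglob("*") if p.is_file())
    return [f"{md5_file(p)}  {p.relative_to(root).as_posix()}" for p in files]


def parse_md5_list(lines):
    """Turn list lines back into a {relative path: hash} mapping."""
    entries = {}
    for line in lines:
        if line.strip():
            digest, name = line.split("  ", 1)
            entries[name] = digest
    return entries


def verify_md5_list(root, baseline_lines):
    """Re-hash root and report what differs from the baseline list.

    'empty' lists zero-byte files: their shared digest proves nothing about content.
    """
    baseline = parse_md5_list(baseline_lines)
    current = parse_md5_list(generate_md5_list(root))
    return {
        "modified": sorted(n for n in baseline if n in current and baseline[n] != current[n]),
        "missing": sorted(set(baseline) - set(current)),
        "added": sorted(set(current) - set(baseline)),
        "empty": sorted(n for n, h in current.items() if h == EMPTY_MD5),
    }


def demo():
    """Constructed tree: take a baseline, then alter one file, delete one and add one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "notes.txt").write_text("case notes\n")
        (root / "boot.bin").write_bytes(b"\xeb\x52\x90NTFS    ")
        (root / "empty.dat").write_bytes(b"")
        baseline = generate_md5_list(root)
        (root / "docs" / "notes.txt").write_text("case notes - edited\n")  # tampered
        (root / "boot.bin").unlink()                                         # deleted
        (root / "new.log").write_text("appeared later\n")                    # added
        return baseline, verify_md5_list(root, baseline)


if __name__ == "__main__":
    baseline, report = demo()
    print("\n".join(baseline))
    print(report)
```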
The file browsing mode shows the details of the directories and files: the date and time each was last Written, Accessed and Changed and when it was Created, along with its size and its metadata. To view the metadata, click on the 'Meta' option of the file you want to view (here, $LogFile).


[Screenshot: File Analysis listing of C:/ with columns DEL, Type (dir / in), NAME, WRITTEN, ACCESSED, CHANGED, CREATED, SIZE and META. Entries: $OrphanFiles (v/v 256, all timestamps 0000-00-00 00:00:00 (UTC), preceded by the notice "Error Parsing File (Invalid Characters?)"), $AttrDef, $BadClus, $BadClus:$Bad (554692608 bytes), $Bitmap (16928 bytes), $Boot, $Extend/, $LogFile (4374528 bytes), $MFT, $MFTMirr, $Secure:$SDH and $Secure:$SDS, all timestamped 2019-10-30 02:15:58 (IST). Other sizes visible in the column: 8192, 552, 262144, 4096, 56, 263604]


Here you can see the metadata information about the file. To see more details, click on the first cluster, '44067', to view its header information and find anything relevant to the case.


[Screenshot: Meta Data tab]
Parent MFT Entry: 5   Sequence: 5
Allocated Size: 4374528   Actual Size: 4374528
Created: 2019-10-30 02:15:58.098799200 (IST)
File Modified: 2019-10-30 02:15:58.098799200 (IST)
MFT Modified: 2019-10-30 02:15:58.098799200 (IST)
Accessed: 2019-10-30 02:15:58.098799200 (IST)

Attributes:
$STANDARD_INFORMATION (16-0) Name: N/A Resident size: 72
$FILE_NAME (48-2) Name: N/A Resident size: 82
$DATA (128-1) Name: N/A Non-Resident size: 4374528 init size: 4374528
44067 44068 44069 44070 44071 44072 44073 44074
...
44083 44084 44085 44086 44087 44088 44089 44090
44091 44092 44093 44094 44095 44096 44097 44098
44099 44100 44101 44102 44103 44104 44105 44106
44107 44108 44109 44110 44111 44112 44113 44114
...
44131 44132 44133 44134 44135 44136 44137 44138
44139 44140 44141 44142 44143 44144 44145 44146
44147 44148 44149 44150 44151 44152 44153 44154
...
44179 44180 44181 44182 44183 44184 44185 44186
44187 44188 44189 44190 44191 44192 44193 44194
44195 44196 44197 44198 44199 44200 44201 44202
(cluster list continues)
Here you can see the information about the header of the cluster.


[Screenshot: Data Unit tab]
Cluster Number: 44067
Number of Clusters: 1
Cluster Size: 4096
Address Type: Regular (dd)


Then, in order to view the file types in the volume, click on 'File Type'.


[Screenshot: File Analysis view of C:/ with the File Type tab highlighted]
File Type


Here you will be able to sort the files based on the different types of files in the volume. By using this feature you can examine allocated, unallocated as well as hidden files. To sort the files, click on 'Sort Files by Type'.


[Screenshot: File Type tab]
View Sorted Files

In this mode, Autopsy will examine allocated and unallocated files and sort them into categories and verify the extension. This allows you to find a file based on its type and find "hidden" files.

WARNING: This can be a time intensive process.


Click on 'Sort files into categories by type', which is selected by default, and then click 'OK' to start sorting the files.


[Screenshot: File Type Sortings]
The sorter tool will process an image and organize the files based on their file type. The files are organized into categories that are defined in configuration files. The categories will be saved in the output directory.

WARNING: This will overwrite any existing data in:
/var/lib/autopsy/Case1/Client/output/sorter-vol2/

[x] Sort files into categories by type (selected by default)
    Do not save data about unknown file types
    Save a copy of files in category directory (may require lots of disk space)
    Save ONLY graphic images and make thumbnails (may require lots of disk space and will save to a different directory than sorting all file types)
    Extension and File Type Validation
The categories of the file types will be displayed. To view the sorted files, click on 'View Sorted Files' and the list of sorted files will be displayed.


[Screenshot: File Type tab, sorter results]
Image: /var/lib/autopsy/Case1/Client/images/image2.e01

Files (38)
  Files Skipped (13)
    Non-Files (13)
    Reallocated Name Files (0)
    'ignore' category (0)
  Extensions
    Extension Mismatches (0)
  Categories (25)
    archive (0)
    audio (0)
    compress (0)
    crypto (0)
    data (17)
    disk (2)
    documents (1)
    exec (0)
    images (3)
    system (0)
    text (0)
    unknown (2)
    video (0)
The output folder location will vary depending on the information specified by the user when first creating the case, but it can usually be found at /var/lib/autopsy/Case1/Client/output/sorter-vol2/index.html. Once the index.html file has been opened, click on 'images' to view its contents.


[Screenshot: sorter output index.html opened from file:///var/lib/autopsy/Case1/Client/output/sorter-vol2/, showing the same Files (38), Files Skipped (13), Extensions and Categories (25) lists as above, with the 'images (3)' link highlighted]
Now you can see the Images category and further investigate the files depending on the case requirements.


[Screenshot: images Category]

C:/$Extend/$RmMetadata/$TxfLog/$TxfLog.blf
  Targa image data - Map 33355 x 50764 x 1 ""
  Image: /var/lib/autopsy/Case1/Client/images/image2.e01   Inode: 33-128-1

C:/$Extend/$RmMetadata/$TxfLog/$TxfLogContainer00000000000000000001
  Targa image data - Map 65536 x 65536 x 1 ""
  Image: /var/lib/autopsy/Case1/Client/images/image2.e01   Inode: 34-128-1

C:/$UpCase
  Targa image data - Map 6 x 7 x 8 +4 +5
  Image: /var/lib/autopsy/Case1/Client/images/image2.e01   Inode: 10-128-1


Image Details 


Now click on the 'Image Details' option to view the important details about this image file.


[Screenshot: File Analysis view of C:/ with the Image Details tab highlighted]
Here, in this option, you can see the file system information, the first cluster of the MFT, the cluster size, etc.


[Screenshot: Image Details tab]
General File System Details

FILE SYSTEM INFORMATION
File System Type: NTFS
Volume Serial Number: 9EA6DE0BA6DDE435
OEM Name: NTFS
Volume Name: Recovery
Version: Windows XP

METADATA INFORMATION
First Cluster of MFT: 45141
First Cluster of MFT Mirror: 2
Size of MFT Entries: 1024 bytes
Size of Index Records: 4096 bytes
Range: 0 - 256
Root Directory: 5

CONTENT INFORMATION
Sector Size: 512
Cluster Size: 4096
Total Cluster Range: 0 - 135422
Total Sector Range: 0 - 1083390

$AttrDef Attribute Values:
$STANDARD_INFORMATION (16) Size: 48-72 Flags: Resident
$ATTRIBUTE_LIST (32) Size: No Limit Flags: Non-resident
$FILE_NAME (48) Size: 68-578 Flags: Resident, Index
$OBJECT_ID (64) Size: 0-256 Flags: Resident
$SECURITY_DESCRIPTOR (80) Size: No Limit Flags: Non-resident


Keyword Search


To ease the search for a file or document, you can make use of the keyword search option to make your investigation time-efficient. Click on 'Keyword Search' to proceed.


[Screenshot: File Analysis view of C:/ with the Keyword Search tab highlighted]


You can input the keyword or any relevant string to proceed with the investigation and click on 'Search'.


[Screenshot: Keyword Search tab]
Keyword Search of Allocated and Unallocated Space

Enter the keyword string or expression to search for:
   Jeenali

(•) ASCII   ( ) Unicode   [ ] Case Insensitive   [ ] grep Regular Expression

[Search]   [Extract Unallocated]   [Extract Strings]
Regular Expression Cheat Sheet
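The ASCII and Unicode radio buttons above select the encoding of the bytes being searched, and on a Windows volume the distinction matters: file names, registry values and much application data are stored as UTF-16LE, where 'Jeenali' appears as J\0e\0e\0n\0a\0l\0i\0 and an ASCII-only search will miss it. The following Python is an added example, not part of the article or of Autopsy: it runs one search over a constructed byte buffer in both ASCII and UTF-16LE (trying both byte alignments), with optional case-insensitive and regular-expression modes, and reports the byte offset of each hit. The SAMPLE buffer is constructed for the example.

```python
import re

# Constructed buffer: ASCII text, odd padding, a UTF-16LE Windows path, then an upper-case UTF-16LE name
SAMPLE = (
    b"\x00" * 16
    + b"Investigator: Jeenali\n"
    + b"\x00" * 9                                                # odd length: next string is misaligned
    + "C:\\Users\\Jeenali\\report.docx".encode("utf-16-le")
    + b"\x00" * 8
    + "JEENALI".encode("utf-16-le")
)


def keyword_search(data: bytes, keyword: str, case_insensitive: bool = False, regex: bool = False):
    """Return hits as dicts {offset, encoding, match}, sorted by byte offset.

    ASCII pass: the pattern is matched against the raw bytes (covers UTF-8/Latin-1 text).
    Unicode pass: the bytes are decoded as UTF-16LE at both alignments and decoded
    indexes are mapped back to byte offsets (exact for BMP characters).
    """
    flags = re.IGNORECASE if case_insensitive else 0
    pattern_text = keyword if regex else re.escape(keyword)
    hits = []
    for m in re.finditer(pattern_text.encode("latin-1"), data, flags):
        hits.append({"offset": m.start(), "encoding": "ascii", "match": m.group().decode("latin-1")})
    for align in (0, 1):
        text = data[align:].decode("utf-16-le", errors="replace")
        for m in re.finditer(pattern_text, text, flags):
            hits.append({"offset": align + 2 * m.start(), "encoding": "utf-16le", "match": m.group()})
    return sorted(hits, key=lambda h: h["offset"])


if __name__ == "__main__":
    for hit in keyword_search(SAMPLE, "jeenali", case_insensitive=True):
        print(f"offset {hit['offset']:5d}  {hit['encoding']:8}  {hit['match']}")
    for hit in keyword_search(SAMPLE, r"[A-Za-z]+\.docx", regex=True):
        print(f"offset {hit['offset']:5d}  {hit['encoding']:8}  {hit['match']}")
```

Autopsy's Unicode option does the equivalent over the whole volume, including unallocated space, which is why a name that an ASCII search cannot find in free space may still turn up once the Unicode button is selected.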
Autopsy for Windows


Creating a New Case 


Run the Autopsy tool on your Windows Operating System and click on “New Case” to create a new 
case. 


[Screenshot: Autopsy welcome screen (OPEN | EXTENSIBLE | FAST) with the options New Case, Open Recent Case and Open Case]
Then fill in all the necessary case information, like the case name, and choose a base directory to save all the case data in one place.


[Screenshot: New Case Information wizard]
Steps: 1. Case Information   2. Optional Information

Case Name: Ignite
Base Directory: C:\Users\raj\Desktop
Case Type: (•) Single-user   ( ) Multi-user
Case data will be stored in the following directory: C:\Users\raj\Desktop\Ignite

Optional Information: Organization analysis is being done for:
Now let us add the type of data source. There are various types to choose from:

- Disk Image or VM File: an image file, which can be an exact copy of a hard drive, a media card, or even a virtual machine.

- Local Disk: devices such as hard disks, pen drives, memory cards, etc.

- Logical Files: an image of any local folders or files.

- Unallocated Space Image File: files that do not contain any file system and are processed with the help of the ingest modules.

- Autopsy Logical Imager Results: the data source produced by running the logical imager.

- XRY Text Export: the data source from exporting text files from XRY.


[Screenshot: Add Data Source wizard, step 1 'Select Type of Data Source To Add', listing Disk Image or VM File, Local Disk, Logical Files, Unallocated Space Image File, Autopsy Logical Imager Results and XRY Text Export; remaining steps: 2. Select Data Source, 3. Configure Ingest Modules, 4. Add Data Source]
Now let us add the data source. Here we have a previously created image file, so we will add the location of that file.


[Screenshot: Add Data Source wizard, step 2 'Select Data Source']
Path: C:\Users\raj\Desktop\Ignite.E01
[ ] Ignore orphan files in FAT file systems
Time zone: (GMT-8:00) America/Los_Angeles
Sector size: Auto Detect

Hash Values (optional):
MD5:
SHA-1:
SHA-256:
NOTE: These values will not be validated when the data source is added.


Next, you will be prompted to configure the ingest modules.


[Screenshot: Add Data Source wizard, step 3 'Configure Ingest Modules'. Modules listed: File Type Identification, Extension Mismatch Detector, Embedded File Extractor, Picture Analyzer, Keyword Search, Email Parser, Encryption Detection, Interesting Files Identifier, Central Repository, PhotoRec Carver, Virtual Machine Extractor, Data Source Integrity. The description pane reads "Extracts recent user activity, such as Web browsing, recently us..." and "The selected module has no per-run settings." Buttons: Global Settings, Select All, Deselect All, Finish]
The contents of the ingest modules are listed below:


INGEST MODULE: DESCRIPTION

Recent Activity: It is used to discover the recent operations that were performed on the disk, like the files that were viewed recently.

Extension Mismatch Detector: It is used to identify files whose extensions were tampered with or changed to hide evidence.

Hash Lookup: It is used to identify a particular file using its hash value.

File Type Identification: This is used to identify files based on their internal file signatures rather than just their file extensions.

Embedded File Extractor: It is used to extract embedded files like .zip, .rar, etc. and use those files for analysis.

Keyword Search: This is used to search for any particular keyword or pattern in the image file.

Email Parser: This is used to extract information from email files if the disk holds any email database information.

Encryption Detection: This helps to detect and identify encrypted and password-protected files.

Interesting File Identifier: Using this feature the examiner is notified when files match the set of rules defined to identify a particular type of file.

PhotoRec Carver: This helps the examiner to recover files, photos, etc. from the unallocated space on the disk image.

Virtual Machine Extractor: It helps to extract and analyze any virtual machine found on the disk image.

Data Source Integrity: It helps to calculate the hash values and store them in the database.
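Both the Linux sorter in the File Type section earlier ("sort them into categories and verify the extension") and the Windows Extension Mismatch Detector and File Type Identification modules rest on the same check: read the first bytes of a file and compare the signature found there with what the extension claims. The following Python is an added example, not the article's or Autopsy's code: a small constructed signature table, a classifier that groups files into sorter-style categories, and a mismatch flag that only fires when the content signature is confident. Formats without a leading magic number are deliberately left out of the table. Targa is one such format, which is why libmagic labelled the NTFS transaction logs under C:/$Extend/$RmMetadata/$TxfLog as "Targa image data" in the sorter output shown earlier; an 'images' hit of that kind deserves a look at the bytes before it is reported. The file names and contents in demo() are constructed.

```python
import tempfile
from pathlib import Path

# Constructed signature table: (sorter category, extensions that legitimately carry it, magic bytes, offset).
# Only types with a genuine leading magic number are listed; formats without one (e.g. Targa) are omitted.
SIGNATURES = [
    ("images", {".jpg", ".jpeg"}, b"\xff\xd8\xff", 0),
    ("images", {".png"}, b"\x89PNG\r\n\x1a\n", 0),
    ("images", {".gif"}, b"GIF8", 0),
    ("images", {".bmp"}, b"BM", 0),
    ("documents", {".pdf"}, b"%PDF-", 0),
    ("archive", {".zip", ".jar", ".docx", ".xlsx", ".pptx"}, b"PK\x03\x04", 0),
    ("exec", {".exe", ".dll", ".sys"}, b"MZ", 0),
    ("compress", {".gz", ".tgz"}, b"\x1f\x8b", 0),
    ("disk", {".e01"}, b"EVF\x09\x0d\x0a\xff\x00", 0),
]


def identify(head: bytes):
    """Return (category, allowed extensions) of the first signature that matches, else ('unknown', set())."""
    for category, exts, magic, offset in SIGNATURES:
        if head[offset:offset + len(magic)] == magic:
            return category, exts
    return "unknown", set()


def classify_file(path):
    """Classify one file by content and flag an extension that contradicts a confident signature."""
    path = Path(path)
    with open(path, "rb") as f:
        head = f.read(64)
    category, exts = identify(head)
    ext = path.suffix.lower()
    # Unknown content is not evidence of tampering: only a confident signature can contradict the extension
    mismatch = category != "unknown" and ext not in exts
    return {"name": path.name, "category": category, "extension": ext, "mismatch": mismatch}


def sort_files(root):
    """Group every file under root by signature category, in the spirit of Autopsy's sorter output."""
    report = {}
    for p in sorted(q for q in Path(root).rglob("*") if q.is_file()):
        info = classify_file(p)
        report.setdefault(info["category"], []).append(info)
    return report


def demo():
    """Constructed tree: a real JPEG, a PE renamed to .pdf, an OOXML zip, plain text and an NTFS log."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 28)
        (root / "invoice.pdf").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)   # executable hiding as a PDF
        (root / "report.docx").write_bytes(b"PK\x03\x04" + b"\x00" * 26)    # OOXML is a zip: no mismatch
        (root / "notes.txt").write_bytes(b"plain text has no magic number\n")
        (root / "$TxfLog.blf").write_bytes(bytes(range(32)))                # NTFS log, no signature
        return sort_files(root)


if __name__ == "__main__":
    for category, files in demo().items():
        for info in files:
            flag = "  <-- extension mismatch" if info["mismatch"] else ""
            print(f"{category:10} {info['name']}{flag}")
```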


The Data Sources view displays basic metadata. Its detailed analysis is displayed at the bottom, and the items can be extracted one after the other.


[Screenshot: Ignite - Autopsy 4.17.0 main window. Toolbar: Add Data Source, Images/Videos, Communications, Geolocation, Timeline, Discovery, Generate Report, Close Case. Tree: Data Sources; Views > File Types (By Extension, By MIME Type: application, image, text), Deleted Files, File Size; Results > Extracted Content, Keyword Hits, Hashset Hits, E-Mail Messages, Interesting Items, Accounts, Tags, Reports. The listing shows Ignite.E01 (Type: Image) and the Hex tab of the content viewer shows the first page (1 of 3931909) of the image, beginning EB 52 90 4E ...]
Views


Files can be classified by file extension or by MIME type. File extensions are commonly used by the OS, whereas MIME types are used by the browser to decide how to present data. This view also displays deleted files.

Note: These file types can be categorized by Extension, Documents and Executables.


[Screenshot: Ignite - Autopsy 4.17.0, Views > File Types tree: By Extension (Images (189), Videos (0), Audio (0), Archives (0), Databases (0), Documents, Executable), By MIME Type, Deleted Files, File Size; Results: Extracted Content, Keyword Hits, Hashset Hits, E-Mail Messages, Interesting Items, Accounts, Tags, Reports]
By Extension


In the category 'File Types by Extension' you can see that this has been sub-divided into file types like images, video, audio, archives, databases, etc.


By Extension
  Images (189)
  Videos (0)
  Audio (0)
  Archives (0)
  Databases (0)
  Documents
  Executable
By MIME Type
[Screenshot: Listing of By Extension, expanded: Images (189), Videos (0), Audio (3), Archives (0), Databases (0); Documents: HTML (86), Office (0), PDF (5), Plain Text (1196), Rich Text (2); Executable: .exe (639). The Archives node's tooltip lists .7z, .arj, .tar, .gzip, .bzip, .bzip2, .cab, .jar, .cpio, .ar, .gz, .tgz, .bz2. The Images thumbnail view shows images.jpg, f0583984.bmp, f0675458.png, f0690680.png and $R3RSEBH.jpg]


On viewing the thumbnail, you can view the file metadata and details about the image. 


[Screenshot: Thumbnail view of images.jpg (/img_Ignite.E01/images.jpg, page 1 of 1) and its File Metadata tab, "From The Sleuth Kit istat Tool":
MFT Entry Header Values: Entry: 49   Sequence: 1; $LogFile Sequence Number: 16885331; Allocated File; Links: 1
$STANDARD_INFORMATION Attribute Values: Flags: Archive; Owner ID: 0; Security ID: 271 (S-1-5-21-...); Created, File Modified, MFT Modified and Accessed timestamps of 2020-11-26 (PST)
$FILE_NAME Attribute Values: Flags: Archive; Name: $R3RSEBH.jpg; Parent MFT Entry: 40   Sequence: 1; Allocated Size: 8192; timestamps of 2020-11-26 (PST)
$OBJECT_ID Attribute Values: Object Id: 3fd39b21-2f45-11eb-a1a0-001b10002aec]
Here we can also view a few audio files that have been recovered. We can extract these files from the system and listen to them using various software.


[Screenshot: Audio (3) listing showing the recovered file f1248504.wav (Modified Time 0000-00-00 00:00:00) and its right-click menu: Properties, View File in Directory, View in New Window, Open in External Viewer (Ctrl+E), View File in Timeline..., Extract File(s)]
The documents are categorized into 5 types: HTML, Office, PDF, Plain Text and Rich Text.
On exploring the Documents option, you can see all the HTML documents present; you can click on
the important ones to view them.


[Screenshot: HTML (86) listing with files such as Forensic Investigation Autopsy Forensic Browser in Linux.html, a.html, a_002.html, fastbutton.html and like.html; the Text tab (Page 1 of 3) previews the saved Hacking Articles page: Raj Chandel's Blog, CTF Challenges, Penetration Testing, Web Penetration Testing, Red Teaming, Donate us, Courses We Offer (Bug Bounty, Computer Forensics, Ethical Hacking, Red Teaming)]
On exploring the PDF option, you can also find the important PDF files in the disk image.


[Screenshot: PDF (5) listing]
Name                            Modified Time
$IO2Y1Z5.pdf                    2020-11-26 09:04:16 PST
$RO2Y1Z5.pdf                    2020-02-29 11:02:57 PST
Android Pentesting.pdf          2020-10-23 01:42:19 PDT
Bug Bounty Course Details.pdf   2020-11-26 09:04:18 PST
f0184904.pdf                    0000-00-00 00:00:00
Similarly, the various plain text files can also be viewed. You can also recover deleted plain text files.


[Screenshot: Plain Text (1196) listing with Ignite.E01.txt and f0484218.txt; the Text tab shows the FTK Imager acquisition log saved as Ignite.E01.txt: "NOTICE: The imaging operation was cancelled!", Created By AccessData FTK Imager 4.3.1.1, Acquired using ADI4.3.1.1, Case Number: 001, Unique description: Hacking Articles, Examiner: Vishva, Information for E:\Ignite: Source Type: Logical, Bytes per Sector: 512, Sector Count: 125,821,080, Removable drive: False, Source data size: 61436 MB]
Executables


These file types are then sub-divided into .exe, .dll, .bat, .cmd and .com.


[Screenshot: tree Views > File Types > By Extension showing Images (202), Videos (0), Audio (3), Archives (0), Databases (0), Documents (HTML 86, Office 0, PDF 5, Plain Text 1196, Rich Text 2) and Executable (.exe 639, .dll 1312, .bat 0, .cmd 0, .com 0)]
By MIME Type


In this category there are four sub-categories: application, audio, image and text. These are
divided further into more sections and file types.


[Screenshot: By MIME Type tree. application: x-dosexec (557), pdf (3), x-font-ttf (9), rtf (2), x-msdownload (1482), xml (92), xhtml+xml (2), json (4), octet-stream (14915), x.windows-registry (27), javascript (75); audio: vnd.wave (3); image: vnd.microsoft.icon (2), bmp (1), gif (1), png (164), jpeg (14), svg+xml (14), vnd.zbrush.pcx (1), webp (18); text: x-java-source (57), css (27), x-fortran (3), plain (1153), x-chdr (24), xml (43), csv (5), x-csrc (3), html (136), x-ini (29), x-log (2)]
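Why Autopsy offers both views, as an added example that is not the tutorial's or the project's own code: the By Extension view trusts the file name, while the By MIME Type view sniffs the content. The magic numbers and MIME names are the standard ones Autopsy reports; the extension buckets mirror the tree in the tutorial; the "mismatch" flag (a file whose name and content disagree) goes one step beyond what the tutorial shows, and the sample bytes are constructed.

```python
# Added example (not from the Autopsy tutorial): classify a file both ways,
# by extension (name only) and by MIME type (content sniffing), and flag
# the case where the two views disagree.
MAGIC = [  # (leading bytes, MIME type as Autopsy labels it)
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"), (b"GIF89a", "image/gif"),
    (b"BM", "image/bmp"),
    (b"%PDF-", "application/pdf"),
    (b"MZ", "application/x-dosexec"),
    (b"{\\rtf", "text/rtf"),
    (b"PK\x03\x04", "application/zip"),
]

# Extension buckets as the tutorial's "By Extension" tree groups them.
EXT_BUCKETS = {
    "Images": {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".webp", ".svg"},
    "Audio": {".wav", ".mp3", ".ogg"},
    "Archives": {".zip", ".7z", ".rar", ".tar", ".gz", ".jar"},
    "Documents": {".html", ".htm", ".pdf", ".txt", ".rtf", ".doc", ".docx"},
    "Executable": {".exe", ".dll", ".bat", ".cmd", ".com"},
}
# Which "By Extension" bucket a sniffed MIME type corresponds to.
MIME_BUCKET = {"image": "Images", "audio": "Audio", "text": "Documents",
               "application/pdf": "Documents",
               "application/x-dosexec": "Executable",
               "application/zip": "Archives"}

def bucket_by_extension(name: str) -> str:
    """Bucket a file purely by its name, as the extension view does."""
    ext = "." + name.rsplit(".", 1)[1].lower() if "." in name else ""
    for bucket, exts in EXT_BUCKETS.items():
        if ext in exts:
            return bucket
    return "Other"

def mime_by_content(data: bytes) -> str:
    """Sniff the MIME type from leading bytes, as the MIME view does."""
    for magic, mime in MAGIC:
        if data.startswith(magic):
            return mime
    # Autopsy's octet-stream fallback for content it cannot identify.
    return "application/octet-stream"

def classify(name: str, data: bytes) -> dict:
    """Return both classifications plus a flag when they disagree."""
    mime = mime_by_content(data)
    by_mime = MIME_BUCKET.get(mime) or MIME_BUCKET.get(mime.split("/")[0], "Other")
    by_ext = bucket_by_extension(name)
    return {"name": name, "mime": mime, "by_extension": by_ext,
            "by_mime": by_mime,
            "mismatch": by_ext != "Other" and by_ext != by_mime}

if __name__ == "__main__":
    # Constructed sample: a file named like an image but starting with an MZ header.
    print(classify("photo.jpg", b"MZ\x90\x00" + b"\x00" * 60))
```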
Deleted Files


[Screenshot: Deleted Files node with File System (86) and All (18484); the listing shows deleted files such as 20201014.mem, adencrypt.dll, adencrypt_gui.exe, adfbfs_globals.dll, adfs_globals.dll, ADG_EULA.rtf, ADIso.exe, ADIsoDLL.dll, adshattrdefs.dll, adtz_globals.dll, ad_globals.dll, ad_log.dll and several boost_*-vc140-mt-1_59.dll libraries, all with a Modified Time of 2020-05-11 21:03 PDT]
In the File Size category, the files are categorized based on their size, starting from 50 MB. This allows the examiner to
look for large files.


[Screenshot: File Size listing by Size Range: 50 - 200MB (1), 200MB - 1GB (2), 1GB+ (3)]

In this section, we get information about the content that was extracted. 


Extracted Content 


All the content that was extracted is segregated further in detail. Here we have found Metadata,
Recycle Bin and Web Downloads. Let us view each one of them.


[Screenshot: Results > Extracted Content expanded to Metadata (6), Recycle Bin (4) and Web Downloads (3)]

Metadata 


Here we can view information about the files such as the dates they were created and modified, the file's
owner, etc.


[Screenshot: Metadata (6) listing]
Source File               Date Modified              Date Created               Owner           Data Source
Android Pentesting.pdf    2020-10-23 08:42:07 PDT    2020-10-23 08:42:10 PDT                    Ignite.E01
ADG_EULA.rtf              2016-02-25 02:55:00 PST                                               Ignite.E01
FTKImager_UserGuide.pdf   2012-03-21 20:52:22 PDT    2012-03-21 11:26:46 PDT                    Ignite.E01
$RO2Y1Z5.pdf              2020-02-29 19:02:56 PST    2020-02-29 19:02:56 PST    Ignite Tech...  Ignite.E01
f0184904.pdf              2012-03-21 20:52:22 PDT    2012-03-21 11:26:46 PDT                    Ignite.E01
f0002808.rtf              2016-02-25 02:55:00 PST                                               Ignite.E01
Recycle Bin


The files that were put in the Recycle Bin are found in this category.
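How Autopsy pairs the $R entries in this category with their original names, as an added example that is not the tutorial's or the project's own code: on Windows the $R<suffix> file holds the deleted data and the matching $I<suffix> record holds the original path, size and deletion time. The sample record is constructed here; its path and timestamp imitate the Bug Bounty Course Details.pdf entry in this section but are not bytes from the image.

```python
# Added example (not from the Autopsy tutorial): parse a Windows Recycle Bin
# $I metadata record and name the $R data file it belongs to.
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft: int) -> datetime:
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01) to UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def parse_dollar_i(data: bytes) -> dict:
    """Parse one $I record.
    Version 1 (Vista to 8.1): 8-byte version, 8-byte size, 8-byte FILETIME,
    then a fixed 520-byte UTF-16LE path. Version 2 (Windows 10+): same
    header, then a 4-byte character count followed by the UTF-16LE path."""
    if len(data) < 24:
        raise ValueError("record shorter than the 24-byte $I header")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
    elif version == 2:
        if len(data) < 28:
            raise ValueError("version 2 record is missing its name length")
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
    else:
        raise ValueError(f"unsupported $I version {version}")
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {"version": version, "original_size": size,
            "deleted_utc": filetime_to_datetime(ft), "original_path": path}

def data_file_for(i_name: str) -> str:
    """$I<suffix>.<ext> describes the data file $R<suffix>.<ext>."""
    if not i_name.startswith("$I"):
        raise ValueError("expected a $I file name")
    return "$R" + i_name[2:]

def build_dollar_i(path: str, size: int, deleted_utc: datetime) -> bytes:
    """Assemble a version-2 record; used only to construct the sample."""
    ticks = ((deleted_utc - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    raw = (path + "\x00").encode("utf-16-le")
    return struct.pack("<QQQI", 2, size, ticks, len(raw) // 2) + raw

# Constructed sample (not bytes from Ignite.E01): a PDF deleted on
# 2020-11-26 09:04:18 PST, which is 17:04:18 UTC.
SAMPLE_I = build_dollar_i(r"C:\Users\raj\Desktop\Bug Bounty Course Details.pdf",
                          1_234_567,
                          datetime(2020, 11, 26, 17, 4, 18, tzinfo=timezone.utc))

if __name__ == "__main__":
    rec = parse_dollar_i(SAMPLE_I)
    print(data_file_for("$IO2Y1Z5.pdf"), rec["original_path"], rec["deleted_utc"])
```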


[Screenshot: Recycle Bin (4) listing with $R source files including $RDISPAY.E01, $RKIMRRO.txt and $RO2Y1Z5.pdf, and the original names and deletion times: \images.jpg 2020-11-26 09:00:35 PST, \Ignite.E01 2020-11-26 08:56:22 PST, \Ignite.E01.txt 2020-11-26 08:56:22 PST, \Bug Bounty Course Details.pdf 2020-11-26 09:04:18 PST]


Web Downloads
Here you can see the files that were downloaded from the internet.


[Screenshot: Web Downloads (3) listing]
Source File                                   URL                                  Domain
Forensic Investigation Autop... (.html)       https://www.hackingarticles.i...     www.hackingarticles.in
ignite.jpg:Zone.Identifier                    https://media-exp1.licdn.com/...     media-exp1.licdn.com
$R3RSEBH.jpg:Zone.Identifier                  https://encrypted-tbn0.gstati...     encrypted-tbn0.gstatic.com
In Keyword Hits, any specific keywords can be looked up in the disk image. The search can be conducted
as an exact match, a substring match, email addresses, literal words, regular expressions, etc.


[Screenshot: Keyword Hits tree: Single Literal Keyword Search (0), Single Regular Expression Search (0), Email Addresses (1026)]
You can view the available email addresses.


[Screenshot: Email Addresses (1026) expanded, listing each extracted address with its hit count in parentheses]
You can choose to export the list in CSV format.


[Screenshot: Save dialog for the export, Save in: Export, File name: emails, Files of type: csv file]
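The search modes named above and the Email Addresses list with its CSV export, as an added example that is not the tutorial's or the project's own code: it runs exact-word, substring and regular-expression searches over a constructed chunk of recovered text, counts every email address found and writes the list the way the export produces it. The sample text and addresses are made up.

```python
# Added example (not from the Autopsy tutorial): keyword search modes,
# email-address hit counts and a CSV export over constructed sample text.
import csv
import io
import re
from collections import Counter

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def keyword_hits(text: str, term: str, mode: str) -> list:
    """Return (offset, matched text) pairs for one search term.
    mode: 'exact' (whole word only), 'substring', or 'regex'."""
    if mode == "exact":
        pattern = re.compile(r"\b" + re.escape(term) + r"\b", re.IGNORECASE)
    elif mode == "substring":
        pattern = re.compile(re.escape(term), re.IGNORECASE)
    elif mode == "regex":
        pattern = re.compile(term)
    else:
        raise ValueError(f"unknown search mode {mode!r}")
    return [(m.start(), m.group(0)) for m in pattern.finditer(text)]

def email_addresses(text: str) -> Counter:
    """Every address found with its hit count, as the tree shows 'addr (n)'."""
    return Counter(m.group(0).lower() for m in EMAIL_RE.finditer(text))

def export_csv(hits: Counter) -> str:
    """Serialize the list as Keyword,Hits rows in the tree's sorted order."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["Keyword", "Hits"])
    for addr, n in sorted(hits.items()):
        writer.writerow([addr, n])
    return buf.getvalue()

# Constructed sample text, as if recovered from unallocated space.
SAMPLE_TEXT = ("Contact admin@example.org for access. Mirror: Admin@example.org\n"
               "support@vendor.example issues the key; keys.txt lists them\n")

if __name__ == "__main__":
    print(keyword_hits(SAMPLE_TEXT, "key", "exact"))
    print(export_csv(email_addresses(SAMPLE_TEXT)))
```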
Timeline


By using this feature, you can get information on the usage of the system in a statistical, detailed, or
list form.


[Screenshots: Timeline editor. Toolbar: Display Times In (Local Time Zone / GMT / UTC), History (Back / Forward), Zoom (Time Units, Event Type, Description Detail), Filters (Must include text, Must be tagged, Must have hash hit, Limit data sources to, Limit file types to, Limit event types to, Hidden Descriptions), Apply / Reset. View Mode Counts shows a Number of Events (Logarithmic) bar chart across 2020 for All Events (Filtered), Start Jan 27, 2020 11:33:00 PM; View Mode Details groups events such as Document Created (2) and Document Last Saved under /Bug Bounty Course Details.pdf (4), /USB.txt (4) and /20201014.mem (4); View Mode List shows Date/Time, Event Type and Description rows, e.g. 2020-02-06 05:18:36 M /$Orpha ... LA.rtf, 2020-03-01 00:32:57 M /$RECY ... Z5.pdf, 2020-04-10 21:12:08 B /Bug Bo... ils.pdf, 2020-05-12 09:33:46 M /$Orpha ... ui.exe]
Discovery 


This option allows finding media present on the disk image using different filters.


[Screenshot: Discovery dialog. Step 1: Choose result type. Step 2: Filter which images to show: File Size (Large: 1-50MB, XLarge: 50-200MB, ...), Possibly User Created, Hash Set, Interesting Item, Object Detected, Parent Folder (Windows/, Program Files, ...), Past Occurrences (Known (NSRL), Very Common (100+), Common (11 - 100), Rare (2-10), Unique (1)). Step 3: Choose display settings: Group By: Parent Folder, Order Within Groups By: File Name, Order Groups By: Group Size]
According to the selected options, you get the desired results.


[Screenshot: Discovery results, "Results with Type: Image; Size(s): Large, XLarge, XXLarge; Data source(s): Ignite.E01(1); Past occurrences: Common (11 - 100), Rare (2-10), Unique (1)"; one group /img_Ignite.E01/ (1) containing ...d Pentesting.pdf/image0.jpg, Size: 5 MB]
Images/Videos


This option is used to find images and videos through various options and multiple categories.


[Screenshot: Image/Video Gallery editor, Data Source: All. Folder tree of img_Ignite.E01 (2) with Android Pentesting.pdf (4), ...igation Autopsy Forensic Browser in Linux_files (48), a_data (2), $Extend, $RmMetadata, $TxfLog (1), $OrphanFiles, unknown, Mozilla Firefox and $RECYCLE.BIN/...1276730070-1850728493-30201559-1001 (1); the group header reads "0 hash set hits / 2 files" and the Tag Selected Files menu offers the Project VIC categories Child Exploitation (Illegal), CGI/Animation (Child Exploi...) and Non-pertinent]
Add File Tag


Tagging can be used to create bookmarks, mark items for follow-up, mark notable items, etc.


[Screenshot: file listing with Name and MD5 Hash columns and the right-click menu: Properties, View File in Directory, View in New Window, Open in External Viewer (Ctrl+E), View File in Timeline..., Extract File(s), Export selected rows to CSV, Add File Tag (Bookmark, Follow Up, Notable Item (Notable), Project VIC, Tag and Comment..., New Tag...), Remove File Tag, Add/Edit Central Repository Comment, Add File to Hash Set. A second capture shows the Tags node with Follow Up (1), Notable Item (Notable) (1) and Project VIC: Child Exploitation (Illegal) (Notable) (1)]
Generate Report


Once the investigation is done, the examiner can generate the report in various formats according to
preference.


[Screenshot: Generate Report, Select and Configure Report Modules. Report Modules: HTML Report (A report about results and tagged items in HTML format), Excel Report, Files - Text, Save Tagged Hashes, TSK Body File, Google Earth KML, STIX, CASE-UCO, Portable Case; Header and Footer fields]


Check the data source whose report needs to be generated.


[Screenshot: Generate Report, Select which data source(s) to include: Ignite.E01]
Here we chose to create the report in HTML format.


[Screenshot: Report Generation Progress: HTML Report created 2020-11-28 15:42:58 IST at C:\Users\raj\Desktop\Ignite\Reports\Ignite HTML Report 11-28-2020-15-42-58\report.html, status Complete]


Kudos! Your Autopsy Forensic Report is ready!


[Screenshot: Autopsy Forensic Report (HTML). Report Navigation: Case Summary, Keyword Hits (1026), Metadata (6), Recycle Bin (4), Tagged Files (4), Tagged Images (4), Tagged Results (0), Web Downloads (3). Case Summary: Case: Ignite, Case Number: 001, Number of data sources in case: 1, Examiner: vishva; Image Information: Timezone: America/Los_Angeles, Path: C:\Users\raj\Desktop\Ignite.E01; Software Information: Autopsy Version, Android Analyzer Module, Central Repository Module, Data Source Integrity Module, Drone Analyzer Module]